Skip to main content
Permutive operates as a data processor, processing personal data on behalf of our customers who act as data controllers. Under the GDPR and ePrivacy Directive, data controllers seek consent from their users to process personal data on their behalf. As a data processor, Permutive provides consent mechanisms for data controllers to signal to Permutive that they have obtained consent to process data for a user. Permutive provides two different consent mechanisms that customers can configure for their Permutive deployment, in addition to a mechanism for offering users the option to opt out of all tracking. These are described in the sections below. Permutive’s consent-by-token mechanism ensures no user data is collected or processed until a data controller has received consent from the user. Data controllers signal the user’s consent via a token to the Permutive SDK. Once the Permutive SDK has been granted consent for this user, the SDK will start collecting & processing user data from this moment on only. The user can revoke this consent at any point. To configure your Permutive SDK in consent-by-token mode, set the consentRequired configuration field to true: 
<script>
  !function (n, e, i) { ... }(window.permutive, '<API_KEY>', '<WORKSPACE_ID>', { 'consentRequired': true })
  permutive.addon('web', {
    page: {
      // ...
    }
  })
</script>
No user data will be tracked by the SDK until it receives a consent token for the user. Once you have obtained consent for the user, it can be passed to Permutive by calling the SDK consent method with the consent token: 
permutive.consent({ "opt_in": true, "token": "<CONSENT_TOKEN>" });
From this point on, the SDK will track user event data — or until the user wishes to opt out.

More information on SDK configuration for different environments

Web

iOS

Android

If consentRequired is not specified or is set to false, Permutive assumes the data controller has consent to track their users’ data. In this configuration mode, which we call consent-by-default, the collection of user data starts from the first time Permutive’s SDK loads without requiring a consent token be passed by the controller for the user.

Opt out

You may choose or be required to offer users the option to opt out of tracking. All future tracking is then disabled for the user until the point they opt back in. Whether the SDK is configured to have consentRequired as true or false, a user can be opted out by setting the consent opt_in field to false: 
permutive.consent({ "opt_in": false });
As a data processor, Permutive relies on consent obtained by the data controller, passed to Permutive using the consent mechanisms described above. For customers who use a consent management platform that relies on the Global Vendor List (GVL) to display their vendors to consumers, Permutive is also registered on the GVL for IAB Europe’s Transparency & Consent Framework (TCF) as of TCF v2.3. Our GVL ID is 361 and we operate under Purpose 1 (store and/or access information on a device) only, as is recommended for data processors by IAB Europe.